Credit card scams in the age of mobile phones (Part 1 of 2)

Paul Ducklin
03/05/2025

Zip-zaps and card swipes

Payment card scams used to be surprisingly simple, because the cards themselves had few or no technological protections to stop them being copied and cloned.

Indeed, until comparatively recently, almost all payment cards had the card number, expiry date and account holder’s name not merely printed on the front of the card but embossed into the plastic to create raised characters.

This means that transactions could be processed using a simple, non-computerized, entirely offline payment device known colloquially as a zip-zap machine, which ran a roller over the card to take an impression on two special sheets of carbon-copy paper.

One copy was the customer’s own receipt; the other was the proof of transaction, later submitted by the merchant to receive payment.

Both slips contained a full copy of those embossed characters – indeed, the merchant wouldn’t and couldn’t get paid if their copy was indistinct.


Card-present payments where the merchant had a working internet connection were handled by a simple magnetic stripe reader, using the same sort of technology as an old-school cassette player to read the data off the magstripe on the back of the card, where it is stored unencrypted and contains the same information as the front of the card.

These readers (which you can still easily buy online for just a few dollars) are tiny and unsophisticated, typically pretending to be a keyboard when they’re hooked up to a computer, so the data they acquire from a card can be read in by any application without special programming or hardware drivers.
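
As an added illustration (not code from the original article): because the stripe holds its data unencrypted and a keyboard-emulating reader simply types it into whatever field has focus, a log or form-input filter can recognise and redact that data before it is stored. The sketch assumes the standard ISO/IEC 7813 Track 1 and Track 2 layouts, which the article does not spell out; the function names and the sample swipe are constructed.

```python
import re

# ISO/IEC 7813 layouts (an assumption; the article does not give them):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{2})(\d{2})\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})\d{3}\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the first six and last four digits of the card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str) -> list[dict]:
    """Return one masked finding per plaintext track found in text."""
    findings = []
    for m in TRACK1.finditer(text):
        pan, name, yy, mm = m.groups()
        if luhn_ok(pan):
            findings.append({"track": 1, "pan": mask(pan), "name": name.strip(),
                             "expiry": f"{mm}/{yy}", "span": m.span()})
    for m in TRACK2.finditer(text):
        pan, yy, mm = m.groups()
        if luhn_ok(pan):
            findings.append({"track": 2, "pan": mask(pan),
                             "expiry": f"{mm}/{yy}", "span": m.span()})
    return findings

def scrub(text: str) -> str:
    """Replace each detected track with a marker before the text is stored."""
    hits = sorted(find_track_data(text), key=lambda f: f["span"][0], reverse=True)
    for f in hits:  # work right to left so earlier offsets stay valid
        start, end = f["span"]
        text = text[:start] + f"[TRACK{f['track']} REDACTED]" + text[end:]
    return text

# Constructed sample: what a keyboard-emulating reader would "type" into a
# focused text field, using the well-known test number 4111111111111111.
SAMPLE = ("note: %B4111111111111111^DOE/JANE^27051010000000000?"
          ";4111111111111111=27051010000000000? end")
```

Running `find_track_data(SAMPLE)` shows that the stripe yields the card number, name and expiry date in the clear, which is everything on the front of the card.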

By the 2000s, criminals had perfected the construction of so-called skimming devices, often built out of a $10 magstripe reading head and a jerry-rigged $15 mobile phone, which they would attach to legitimate card readers at ATMs, gas stations and even in unobservant (or corrupt) stores, hidden inside, underneath or alongside legitimate payment processing devices.

Skimmers would copy the card’s data at the same time that the genuine transaction was being processed, dump it into an app on the hidden mobile phone, and either store it onto a memory card for recovery a few days later, or upload it via the mobile network or Bluetooth to a waiting device operated by the criminal gang.

A sort-of second factor

The only additional protection implemented for payments made by zip-zap machines or card-swipe terminals was a very crude form of multi-factor authentication (MFA), where the merchant was expected to obtain the customer’s signature on the payment slip (as seen in the image above), and to “verify it by eye” against the signature on the back of the card.

But signature verification was close to useless, given that few merchants bothered to check carefully, and many didn’t even turn the card over to check at all.

For card-not-present transactions, such as online payments or orders over the phone, basic MFA “protection” was – and still is, to this day – limited to a short secret code, three or four digits long, typically printed on the back of the card and not recorded anywhere else.

This secret code, often referred to as the CVV, or card verification value, generally isn’t printed or embossed on the front of the card, is never coded into the magstripe data, and isn’t stored in the chip even on modern chip-based cards.

The idea is that with skimmed magstripe data alone, there isn’t enough information available for criminals to use your card online, because they don’t know the CVV.

To bypass this problem, and to enable large-scale online card fraud, cybercriminals devised, developed, and have continually tweaked and improved the crime known as phishing.


Criminals who can lure you to a bogus but genuine-looking website, for example by enticing you with a special offer or insisting that you need to make an important but often modest-sounding payment such as a parking fine or a delivery charge, can obtain full card data, including the vital CVV, simply by persuading you to type it in on their website instead of the real thing.

Sometimes, the “payment” they request is so modest, such as $0.99 to reschedule a home delivery, that the risk of being defrauded seems low enough to be worth taking.

Except, of course, that the criminals aren’t after 99 cents right now, but after your card data to sell on (or to abuse themselves) for much bigger fraudulent purchases in the future.

Card scams in person

Not all payment-card cybercriminals are focused on fraudulent online activities.

Some have bigger goals, such as using other gang members to make fraudulent card-present transactions, perhaps in other countries, to purchase valuable items that they can carry away at once.

These are often luxury items such as jewelry, or expensive household appliances such as top-end TVs.

The idea is that although this greatly increases the risk of being caught due to showing up in person, the core criminals aren’t the ones directly exposed to arrest because they use subordinate criminals to make the purchases.

If the transaction is approved, and the goods handed over, there’s no chance of a delivery falling through due to subsequent fraud detection tools kicking in, and no need for a delivery address that could end up being staked out or raided.

In years gone by, criminal gangs could readily purchase fake card blanks from underground forums.

These blanks looked realistic enough to pass muster with most merchants.

By encoding stolen card data on the magstripe to match the name embossed on the bogus card, or even by writing data that didn’t match given that merchants tended not to notice, and by signing the back of the fake card themselves, the criminals could go on spending sprees with instant results.

Trusted members of the criminal gang would typically drive a group of “affiliates”, who were often targeted and recruited because they had visa problems or couldn’t get legitimate employment, from store to store at busy shopping times to make all manner of high-value purchases.

Shutting down the shopping sprees

This sort of crime was made much more difficult following the introduction of chip-based credit cards, which can’t simply be cloned like a magstripe card.

The chip itself is a critical cryptographic component in the payment process, using secret cryptographic keys that are written into the chip by the issuer, but that are as good as impossible to read out thereafter, thanks to the chip’s tamper-resistant design.

In countries that strictly implement Chip-and-PIN payments, where high-value card-present transactions also require the payer to input the card’s PIN, with a strict limit of three incorrect entries before the card locks itself up, even stolen cards that the criminals have in their hands are difficult to abuse in face-to-face purchases.

And in a trend that might seem to be putting the lid on “stolen card” transactions for ever, many people are now loading their payment card details into their Apple or Android phones, and using Apple Pay or Google Pay to complete their point-of-sale payments.

This means that they no longer need to carry their cards with them at all, but can leave them locked away at home.

Merchants like these new payment systems because they don’t require new point-of-sale hardware, given that your phone uses the same NFC (near-field communication) wireless technology and protocol as the payment cards it supersedes.

These phone-based payments are in some ways safer than using cards directly, given that:

  • A card generally can’t be added to the Apple Wallet or Google Wallet app without first going through some sort of MFA process with your issuing bank. This makes it difficult for criminals who already know your card details to put them into their own phone’s wallet and take over your card that way.
  • Activating the wallet app to authorize a purchase requires your phone to be unlocked at the point of sale. Even if a criminal snatches your phone while it is unlocked, in a Balaclava Bandit-style robbery, this makes it hard for them to abuse your phone to make fraudulent payments in stores, because it needs to be unlocked again. Your phone’s secure data storage components are built to be at least as tamper-resistant as the chips in the cards themselves.
  • The wallet app doesn’t directly store your card details to authorize payments. The payment app uses a unique identifier of its own to authorize Apple’s or Google’s payment system to authorize the transaction with your bank, and to confirm to the merchant that the payment has gone through.


What to do?

At this point, it certainly sounds as though card-present fraud is much easier to control, and much riskier for criminals to pull off, than it was in the days before chip-based payment cards or phone-based secure wallet apps.

This seems especially true for high-value items that a store is willing to let the purchaser walk out with right away, such as expensive jewelry, high-end TVs, or the latest-model laptops and mobile phones.

But the truth is more complicated than that, and we therefore recommend all of these steps:

  • Build a strong, human-centric security culture in which cybercriminality of any sort is more likely to be spotted and reported. Signing up with SolCyber will actively help you to do this.
  • Go beyond the advice that “if it looks phishy, it probably is.” A simpler and stronger rule is that if it LOOKS phishy, it IS phishy. Never assume that an email might be legitimate on probability alone. Criminals love using short and simple messages such as saying that you missed a home delivery. That’s because many of us use services of this sort regularly enough that coincidence alone is enough to make the messages sound plausible.
  • Avoid clicking through to payment links from emails or instant messages. Landing on a bogus site where you then give away personal data to the wrong person, such as your card number or the MFA code currently showing in your authenticator app, is much more likely if you click on links provided by the sender. Get together a reliable list of important web addresses and phone numbers, such as from printed account statements, original contract documents, or the back of your credit card. Don’t rely on contact details provided by the sender, who could be anyone.
  • Stop, think, and check carefully whenever you are asked for an MFA code. Even though these codes generally have a short lifetime (often a few minutes at most), never let yourself be harried into entering them. Better to have a failed legitimate login attempt than to let a valid one-time code leak to someone else. Never send or tell an MFA code to anyone else, no matter how convincing they sound.
  • Add an extra layer of security to your mobile devices, which are typically protected only by basic MDM (mobile device management) tools that assume apps are working correctly and securely because they came from the App Store or Google Play. Signing up for SolCyber Mobile Protection brings your mobile threat response to a new level, including blocking phishing attempts and messaging scams that specifically target phone users.
  • Now read 🔗 Part 2, where we take the lid off a whole new sort of credit card criminality that could put your finances at much bigger and more immediate risk than unwanted online purchases. We explain how some of today’s phishing criminals have adapted so they can directly target your Apple Wallet or your Google Wallet to make large, in-person purchases all around the world.


Learn more about our mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers:



More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image of old cash register by Alvaro Reyes via Unsplash.
